Integration of k5start/krenew functionality

Russ Allbery rra at stanford.edu
Fri Jul 31 15:30:53 EDT 2009


ghudson at mit.edu writes:

> At the request of an OS vendor, we are looking into adding the
> functionality of k5start and krenew for the 1.8 release.

Does that include the AFS token and PAG support?

> I've written up an early project proposal at:
>
>   http://k5wiki.kerberos.org/wiki/Projects/Process_Credential_Management
>
> I'm interested in feedback particularly on the interface design options.
> I do not yet have strong opinions about what the interface should look
> like, and am willing to spend a little extra time to get it "right" as
> opposed to just taking an easy option.
> http://www.eyrie.org/~eagle/software/kstart/ has links to the man pages
> for k5start and krenew, which may be instructive background.

> I'm also interested in any concerns Russ or packagers of the kstart
> code might have about the way we do this.

To note, while the copyrights note that kstart was originally derived from
the kinit code, what it means by that is that the Kerberos v4 k4start was
originally based on the Kerberos v4 kinit code and then k5start was based
on k4start.  You'll find that k5start doesn't have much resemblance to
kinit except insofar as the library API forces similarity.  (Not that this
matters for what you're planning on doing, but I thought I'd clarify.)

My guess is that I would continue to maintain kstart as a separate
package, which may influence how you decide to incorporate the
functionality.  It doesn't change a great deal, but I have found at least
one major new feature to add each year for quite some time.  The next
release, for instance, already has the following significant changes
pending:

    k5start and krenew now catch SIGALRM and immediately refresh the
    ticket cache upon receiving it, even if the ticket isn't expired.

    Add the -i option to krenew, which says to keep running even if there
    is an error renewing the ticket cache.  This is useful if the ticket
    cache renewed by krenew may expire and then later be renewed (such as
    with a manual kinit) and krenew is expected to wake up again and
    process the new ticket cache.

    Re-run aklog even if the ticket is still valid when -H is used in
    combination with -t.  We don't check whether the token is valid, so
    it's safer to always re-run aklog.  We may be setting a token in a new
    PAG using an existing ticket cache.

I have plans to extend the -i option to k5start in the future.  See also
the TODO file in the distribution for other things that should/could be
done.

If you want to integrate the code from kstart, please start from the
current Git repository rather than the last release.

Something else to be aware of if you're looking at incorporating the
current code is that kstart has an extensive test suite that (in the
version in the Git repository) uses C TAP Harness to drive it.  I suspect
you'll want some or all of that test suite for the code in MIT Kerberos,
although as currently written it requires Perl to run.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
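The loop behaviour described in the pending changes above (SIGALRM forcing an immediate refresh even when the ticket is still valid, and -i keeping the daemon alive after a failed renewal so it can pick up a later kinit), as an added Python model for anyone reimplementing it. This is example code, not kstart's own; the `refresh` callable, the injectable clock and the lifetime/margin values are constructed assumptions, not kstart's actual policy.

```python
import signal
import time


class RefreshLoop:
    """Simplified model of the krenew/k5start wait-and-refresh loop (not
    kstart's own code). `refresh` stands in for real ticket renewal and
    returns True on success; `clock` is injectable for deterministic runs."""

    def __init__(self, refresh, lifetime=10, margin=2, ignore_errors=False,
                 clock=time.monotonic):
        self.refresh, self.clock = refresh, clock
        self.lifetime, self.margin = lifetime, margin
        self.ignore_errors = ignore_errors  # the krenew -i behaviour
        self.expires_at, self.refresh_count, self.errors = None, 0, 0
        self.alarm_pending = False

    def on_sigalrm(self, signum=None, frame=None):
        # Handler signature so it can be installed with signal.signal();
        # SIGALRM asks for an immediate refresh, expired or not.
        self.alarm_pending = True

    def step(self):
        """One wakeup. Returns False when the daemon should exit."""
        now = self.clock()
        due = (self.alarm_pending or self.expires_at is None
               or self.expires_at - now <= self.margin)
        if not due:
            return True
        self.alarm_pending = False
        if self.refresh():
            self.expires_at = now + self.lifetime
            self.refresh_count += 1
            return True
        # Renewal failed: without -i the daemon exits; with -i it keeps
        # running so it can pick up a cache re-created later (e.g. by kinit).
        self.errors += 1
        return self.ignore_errors


def simulate(outcomes, times, alarms=(), ignore_errors=False):
    """Drive the loop over scripted clock values and refresh outcomes
    (constructed data); SIGALRM is delivered before each step index in
    `alarms`. Returns (refreshes, errors, steps run)."""
    outcome_it, time_it = iter(outcomes), iter(times)
    loop = RefreshLoop(lambda: next(outcome_it), ignore_errors=ignore_errors,
                       clock=lambda: next(time_it))
    steps = 0
    for i in range(len(times)):
        if i in alarms:
            loop.on_sigalrm(signal.SIGALRM, None)  # simulate delivery
        steps += 1
        if not loop.step():
            break
    return loop.refresh_count, loop.errors, steps
```

With the scripted clock, `simulate([True, False, True], [0, 9, 10], ignore_errors=True)` shows a failed renewal at t=9 followed by a successful one at t=10, which is exactly the "wake up again and process the new ticket cache" case -i is meant for.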


